
We find them interesting and attractive in different ways and at
different levels. We quickly trust them and believe their sincerity.
The other partner may appear cordial and friendly, more reserved
or withdrawn, or even more negative or hostile. But this one person
brings us together and makes us want to establish a friendship.
When it comes to data-security issues, the data breach has that
partner—the one that draws us in and seeks out
our trust and friendship. In many ways this intimate
colleague is critical to the success of both the marriage
and the extended relationships—attracting new and
unsuspecting individuals on a daily basis. In this
partnership the veiled bride is social media.
The Power of Social Media
By using web-based and mobile technologies to
turn communication into interactive dialogue, social
media creates an effective channel for individuals and
groups of people to connect, interact, create, and share.
With businesses constantly positioning to make
news, build their brands, improve communications, and grow
their customer base, companies are using email blasts and a
plethora of platforms, including Facebook, Twitter, LinkedIn, and
YouTube, to market their products and services. These powerful
communication tools can have significant influence on awareness,
acceptance, and behavior. They play an important role in many
marketing strategies and are also a common vehicle used by many
of our employees to network and communicate with one another.
Unfortunately, these same resources are opening doors to many of
our data-security issues.
Finding the Weakest Link
"When cybercriminals are looking for ways to breach our
systems, the starting point to penetrate our information typically
has nothing to do with the use of credit cards, even when that's
the information that they're attempting to obtain," says James
Foster, founder and CEO of ZeroFOX in a conversation with
LP Magazine. "But they have to get in somewhere. So what is the
best way in? Attackers will look for the weakest link and a way in
that exploits or manipulates the system at a point of vulnerability.
They'll often use tools that have mass adoption—even if it fails a
thousand times, the one time it does work gets them in. They are
looking for a more covert way to get into the system—one where
they can feed on the user's trust and delay detection. When you put
it together, the easiest venue to leverage is social media."
In our push to get ahead in the highly competitive world
of business, Foster commented that information technologies
must reap immediate benefits. As a result the technology can be
significantly ahead of the controls. "Security measures can lag
behind three to five years," he added. "A company's number-one
asset is its people. This is a common thread, and a prime
opportunity for access. Ninety percent or more of the malware is
getting in through social media."
Foster went on to describe a simple scenario as
an example. If a hacker wants to break into XYZ
Company, they may create an online persona that
mirrors the brand's logo, verbiage, and marketing
style. They build the false content using one of many
social media platforms, along with a link that says
"XYZ Company Rocks." If an employee were to
open the link, it can then open the door for the
hacker to breach the company.
While it may sound like a simple strategy,
hackers have become experts at disguising their
intentions—and it may only take one unsuspecting
employee to be successful. Regrettably, this is only a
single, basic example of a problem with prospects only limited by
the imagination and ingenuity of the hacker. This is the challenge,
and only one of many issues that we can face.
Defense in Depth
So, how do we combat these problems?
"Unfortunately, existing plans are ninety percent reactive, which
is like patching cracks in a dam with bubble gum," Foster says.
"There has to be a plan, a defense-in-depth strategy that proactively
addresses data security." In the information world, it's about
firewalls, intrusion-detection systems, two-factor authentication, and
encryption. These defenses are layered to make them more resilient.
But there has to be more. Our defenses must include a plan and a
partnership that effectively creates a unified team to combat these
threats. This involves a comprehensive approach that would include
the following:
■ A knowledgeable and educated team that communicates well and
works together.
■ A diverse team that can provide different perspectives and offer
comprehensive value.
■ Expert external opinions that provide guidance and will
objectively review the plan.
■ An adequate budget.
■ Privacy and compliance policies.
■ A framework and foundation for governance.
"As retailers expand their offerings and push online services,
internal and external policies, roles and synergies must be
BUILDING A NEW DEFENSE TEAM
Hackers and like-minded mercenaries wage war using information technology to
assault our computers and information systems through cyber-related strategies.
In the retail space we primarily have thieves looking for personally identifiable
information that can be exploited and turned into cash. But there are other
groups as well. There are groups targeting organizations for their
research-and-development assets, intellectual property, and corporate strategies.
James Foster
JULY - AUGUST 2014 | LPPORTAL.COM